How Millennials Are Shaping Security

You can learn more than you think from a Saturday Night Live skit.

Last fall, singer Miley Cyrus took the reins as host. In a skit poking fun at millennials, Cyrus plays the role of a stereotypical 20-something in the workplace. She acts entitled, mentions she needs to go to the South of France "to get some perspective," and stares at her phone the entire time while her employer attempts to have a conversation.

The whole thing is overacted and exaggerated (not to mention, very funny), but it's humorous because there's a grain of truth to it: Millennials love their phones, and this truth doesn't stop when they walk through the office door. This new reality has profound implications now that millennials are the largest generation in the workforce, and I would argue especially when it comes to security and keeping corporate data safe.

While every generation is now mobile, millennials still spend more time on their devices than any other—especially on social media. A recent study shows the average millennial will use their device for four hours a day. You better believe some of that time is spent at work. If you want to recruit and retain younger talent, letting them freely use their phones is a requisite.

Corporate Bring Your Own Device (BYOD) programs are being adopted to address this and encourage employees to be productive on mobile. The benefits are clear: More employees using their mobile devices means they can work wherever they are, and take advantage of services and applications that help them do their job better—from email to collaboration software to field apps and even operational things like expense reports.

It isn't only devices that millennials are bringing to work – they're bringing apps and services, too. We know and love services like Dropbox, Evernote and Google Photos. Millennials will want to work with and use the tools they love. If left uncontrolled, corporate data I have access to may end up uploaded to Dropbox, sensitive notes from meetings end up on Evernote's servers and every whiteboard diagram I snap a photo of ends up getting uploaded to Google Photos.

Yet, while employees may love that flexibility, this presents a whole slew of new problems for businesses, namely hundreds of unmanaged devices and apps that could put an enterprise at risk. This is something current mobile device management solutions used to roll out BYOD programs don't address. Worker devices are likely to include corporate secrets and other sensitive data on them, and the more endpoints, the higher the risk of exposure. What if an employee loses the device, for instance? What if an employee mistakenly downloads a malicious app from a third-party app store and infects the phone with malware? Or, what if a legitimate app an employee uses has a security hole that puts the whole organization at risk?

These are critical questions for any IT organization to ask and answer, but once again it's important to do so with the unique aspects of the millennial workforce in mind. This brings me to another point.

Security programs of the future must be fluid and embrace "gray areas"
It used to be that security programs were designed like a new building—you would create the infrastructure and once that was in place, determine that the organization is safe. Put it behind the firewall, wipe your hands clean and move on. Today, the firewall is dead in large part thanks to millennials and other mobile-obsessed workers who have obliterated corporate borders. The old model no longer works in the fast-paced world of today's cybercrime, and because of how today's millennial employees interact with technology and their mobile devices.

While corporations have thankfully evolved their approach beyond the firewall, I still see two major problems with how organizations manage security in relation to millennials:

First, approaches are far too rigid. Too frequently we see IT security programs that assume employees will be using the same software and technologies in the same way for the foreseeable future. This just isn't the case. Think about Slack. A year or two ago, relatively few companies were using it but that's changed pretty drastically. Millennials pride themselves on having the latest tech, and aren't hesitant to try new things. Consider smartphones themselves, which are no longer an iOS vs. Android dichotomy thanks to newcomers like CyanogenMod and Xiaomi. The younger generation is much more likely to experiment with these new offerings, and IT needs to stay constantly apprised of adoption and determine the implications for the corporate security program.

Second, and related to the idea of rigidity, is overreliance on blacklisting and whitelisting. For those of you who don't run in security circles, this is essentially when an IT organization deems a certain app safe/acceptable to use in the workplace—or the opposite. For instance, if IT determines an app is risky or a distraction to employees (such as Snapchat), they can blacklist it from operating on the network. Or so they think. The truth is this approach works much better in theory than in practice. Millennials need their social media fix and they will get around policies that don't respect their latest obsession. Don't want them to use Facebook at work? Too bad—they will find a way to post the latest vacation photo whether you like it or not. IT needs to accept this reality, and be able to compromise with employees on how they can be safe and secure together. Agility and compromise set the tone for security culture. If IT is reasonable and flexible, employees are more likely to respond with flexibility and understanding, not to mention be more responsive to other security requests.

The future for millennials and security
Having a new generation of workers who grew up on mobile is forcing corporate security approaches to evolve, arguably for the better. It's a more flexible and realistic approach. By embracing the reality that employees need and want access to new technologies, their phones and the apps they love—and working together to find ways to let them do it in a secure way—everyone wins.

One way to not win? Continuing to think of millennials using their phones at work and for work as the punchline for a skit, instead of a fact of life.
